sig.cisco.umbrella

| Field | Type | Source field name | Extra fields |
|---|---|---|---|
| eventdate | timestamp | | |
| type | str | vtype | |
| timestamp | timestamp | | |
| hostchain | str | | ✓ |
| tag | str | | ✓ |
| rawMessage | str | rawSource | ✓ |
sig.cisco.umbrella.audit

| Field | Type | Extra fields |
|---|---|---|
| eventdate | timestamp | |
| hostname | str | |
| id | int4 | |
| timestamp | str | |
| email_address | str | |
| user | str | |
| type | str | |
| action | str | |
| source_IP | ip4 | |
| before_change | str | |
| after_change | str | |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | ✓ |
sig.cisco.umbrella.dlp

| Field | Type | Extra fields |
|---|---|---|
| eventdate | timestamp | |
| hostname | str | |
| timestamp | timestamp | |
| event_type | str | |
| unique_event_id | str | |
| severity | str | |
| identity | str | |
| owner | str | |
| name | str | |
| application | str | |
| destination | str | |
| action | str | |
| rule | str | |
| data_classification | str | |
| data_identifier | str | |
| content_type | str | |
| file_size | int4 | |
| sha256_hash | str | |
| file_label | str | |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | ✓ |
sig.cisco.umbrella.dns

| Field | Type | Source field name | Extra fields |
|---|---|---|---|
| eventdate | timestamp | | |
| timestamp | timestamp | | |
| mostGranularIdentity | str | | |
| identities | str | | |
| internalAddress | str | | |
| internalIp | ip4 | | |
| externalAddress | str | | |
| externalIp | ip4 | | |
| action | str | | |
| queryType | str | | |
| responseCode | str | | |
| relative_domain | str | | |
| domain | str | | |
| categories | str | | |
| mostGranularIdentityType | str | | |
| identityType | str | | |
| blockedCategories | str | | |
| hostchain | str | | ✓ |
| tag | str | | ✓ |
| rawMessage | str | rawSource | ✓ |
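The table above lists the parsed fields and their types but not how a raw Umbrella DNS activity log line lands in them. The following is an added example, not code from this page, from Devo or from Cisco: it maps a CSV record onto the sig.cisco.umbrella.dns field names, applies the table's types (ip4 values that fail to parse become null while the raw string survives in the str-typed internalAddress/externalAddress columns; timestamps become UTC datetimes), and runs a simple detection pass for blocked queries. Assumptions: the CSV column order is taken from Cisco's DNS log format documentation rather than from this page, the sample lines are constructed, and relative_domain is derived by stripping the trailing root dot because the page does not say how Devo populates it.

```python
import csv
import io
import ipaddress
from datetime import datetime, timezone
from typing import Optional

# Column order of a Cisco Umbrella DNS activity log line as written to the
# log bucket. Assumption: taken from Cisco's DNS log format documentation,
# not from the field table on this page, which lists the parsed fields only.
DNS_CSV_COLUMNS = (
    "timestamp", "mostGranularIdentity", "identities", "internalAddress",
    "externalAddress", "action", "queryType", "responseCode", "domain",
    "categories", "mostGranularIdentityType", "identityType",
    "blockedCategories",
)

# Constructed sample records (not real traffic). The third line carries a
# deliberately malformed internal address to exercise the ip4 null path.
SAMPLE_DNS_LOG = (
    '"2024-03-05 10:15:22","laptop-01","laptop-01,Corp Network","10.20.30.40",'
    '"203.0.113.9","Allowed","1 (A)","NOERROR","example.com.","Search Engines",'
    '"Roaming Computers","Roaming Computers,Networks",""\n'
    '"2024-03-05 10:15:23","laptop-01","laptop-01,Corp Network","10.20.30.40",'
    '"203.0.113.9","Blocked","1 (A)","NOERROR","malicious.example.net.",'
    '"Malware","Roaming Computers","Roaming Computers,Networks","Malware"\n'
    '"2024-03-05 10:15:24","laptop-02","laptop-02,Corp Network","not-an-ip",'
    '"203.0.113.10","Blocked","16 (TXT)","NXDOMAIN","c2.example.org.",'
    '"Command and Control","Roaming Computers","Roaming Computers,Networks",'
    '"Command and Control"\n'
)


def to_ip4(value: str) -> Optional[str]:
    """Coerce to the table's ip4 type: a valid dotted quad, or None.

    The raw string is kept in the str-typed *Address column, so a malformed
    value is nulled here instead of breaking IP-typed queries downstream.
    """
    try:
        return str(ipaddress.IPv4Address(value.strip()))
    except ipaddress.AddressValueError:
        return None


def to_timestamp(value: str) -> datetime:
    """Umbrella writes log timestamps as 'YYYY-MM-DD HH:MM:SS' in UTC."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def parse_dns_record(row: list) -> dict:
    """Map one CSV row onto the sig.cisco.umbrella.dns fields with their types."""
    if len(row) != len(DNS_CSV_COLUMNS):
        raise ValueError(f"expected {len(DNS_CSV_COLUMNS)} columns, got {len(row)}")
    raw = dict(zip(DNS_CSV_COLUMNS, row))
    record = dict(raw)  # str-typed fields pass through unchanged
    record["timestamp"] = to_timestamp(raw["timestamp"])
    record["internalIp"] = to_ip4(raw["internalAddress"])  # typed copies of
    record["externalIp"] = to_ip4(raw["externalAddress"])  # the *Address strings
    # Assumption: relative_domain is the queried name without the trailing
    # root dot; the page does not state how Devo derives this field.
    record["relative_domain"] = raw["domain"].rstrip(".")
    return record


def parse_dns_log(text: str) -> list:
    """Parse every line of an Umbrella DNS activity log into typed records."""
    return [parse_dns_record(row) for row in csv.reader(io.StringIO(text)) if row]


def blocked_queries(records: list) -> list:
    """Detection pass: queries Umbrella blocked, with the category that fired.

    action is the authoritative signal; blockedCategories is informational
    and may be empty, so the filter does not depend on it.
    """
    return [
        {
            "identity": r["mostGranularIdentity"],
            "internalIp": r["internalIp"],
            "domain": r["relative_domain"],
            "blockedCategories": r["blockedCategories"],
        }
        for r in records
        if r["action"] == "Blocked"
    ]


if __name__ == "__main__":
    for hit in blocked_queries(parse_dns_log(SAMPLE_DNS_LOG)):
        print(hit)
```

Keeping both the str-typed address and the ip4-typed copy is what lets a query filter on `internalIp` without losing the evidence of a malformed value, which is exactly the case the third sample line exercises.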
sig.cisco.umbrella.firewall

| Field | Type | Source field name | Extra fields |
|---|---|---|---|
| eventdate | timestamp | | |
| timestamp | timestamp | | |
| originId | str | | |
| identity | str | | |
| identityType | str | | |
| direction | str | | |
| ipProtocol | str | | |
| packetSize | int8 | | |
| srcIp | ip4 | | |
| srcPort | str | | |
| dstIp | ip4 | | |
| dstPort | str | | |
| dataCenter | str | | |
| ruleId | str | | |
| verdict | str | | |
| hostchain | str | | ✓ |
| tag | str | | ✓ |
| rawMessage | str | rawSource | ✓ |
sig.cisco.umbrella.intrusion

| Field | Type | Extra fields |
|---|---|---|
| eventdate | timestamp | |
| hostname | str | |
| timestamp | timestamp | |
| identities | str | |
| identity_types | str | |
| generator_id | int4 | |
| signature_id | int4 | |
| signature_message | str | |
| signature_list_id | int4 | |
| severity | str | |
| attack_classification | str | |
| CVEs | str | |
| IP_protocol | str | |
| session_id | int4 | |
| source_IP | ip4 | |
| source_port | int4 | |
| destination_IP | ip4 | |
| destination_port | int4 | |
| action | str | |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | ✓ |
sig.cisco.umbrella.ip

| Field | Type | Source field name | Extra fields |
|---|---|---|---|
| eventdate | timestamp | | |
| timestamp | timestamp | | |
| srcIp | ip4 | | |
| srcPort | str | | |
| dstIp | ip4 | | |
| dstPort | str | | |
| categories | str | | |
| hostchain | str | | ✓ |
| tag | str | | ✓ |
| rawMessage | str | rawSource | ✓ |
sig.cisco.umbrella.proxy

| Field | Type | Source field name | Extra fields |
|---|---|---|---|
| eventdate | timestamp | | |
| timestamp | timestamp | | |
| identities | str | | |
| internalIp | ip4 | | |
| externalIp | ip4 | | |
| dstIp | ip4 | | |
| contentType | str | | |
| verdict | str | | |
| url | str | | |
| referer | str | | |
| userAgent | str | | |
| statusCode | str | | |
| requestSize | int8 | | |
| responseSize | int8 | | |
| responseBodySize | int8 | | |
| sha | str | | |
| categories | str | | |
| avDetections | str | | |
| puas | str | | |
| ampDisposition | str | | |
| ampMalwareName | str | | |
| ampScore | str | | |
| identityType | str | | |
| blockedCategories | str | | |
| all_identities | str | | |
| identity_types | str | | |
| request_method | str | | |
| dlp_status | str | | |
| certificate_errors | str | | |
| file_name | str | | |
| ruleset_id | str | | |
| rule_id | str | | |
| destination_list_ids | str | | |
| isolate_action | str | | |
| file_action | str | | |
| warn_status | str | | |
| hostchain | str | | ✓ |
| tag | str | | ✓ |
| rawMessage | str | rawSource | ✓ |